Re: How to use date-time field from event as span ...

tkwaller_2 · ‎04-04-2018

Hello

I have a field in my events that is named info_date_resReviewed in format "2017-09-24 00:00:00" and I'd like to use it as search delimiters. So really you could enter an earliest/latest "info_date_resReviewed" and get results based on the span of this field.

So
earliest ="info_date_resReviewed" and latest="info_date_resReviewed"

I was thinking dropdowns with available "info_date_resReviewed" and then using the tokens but havent gotten it to work. Any suggestions?

Thanks!

adonio · ‎04-04-2018

hello there,
splunk can use this format: "10/5/2016:20:00:00" for earliest= and latest=
first, modify your time to match this format using strptime or convert or other method.
than you can create a form input for earliest and latest, have the form inputs for latest dynamic and present only values greater than the value you chose for earliest to avoid conflict
create a dashboard with search/es, panels (or base search) that starts with earliest="$earliest$" latest="$latest$" and add your queries.

hope it helps

How to use date-time field from event as span for search in Dashboard

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How to use date-time field from event as span for search in Dashboard

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine